Wordpress DoS Attack Script Solution
There is a script knocking about on the internet at the moment that allows an attacker to run some code that will bring your Wordpress blog to its knees. This will more than likely cause your host to get annoyed as well.
What it does is perform a trackback request to the file wp-trackback.php, but it sends a massive (over 200,000 characters) string that Wordpress will take at face value and accept as a legitimate trackback. The first time this is run Wordpress will write it to the database, but every time after that it will run a select query to see if the trackback exists. Even though this isn't a legitimate trackback, Wordpress will still process it on every request, causing a massive overhead as each large string is processed.
One solution is to simply stop access to the offending file by using an Apache rule in your .htaccess file to prevent all access to this file.
<Files ~ "wp-trackback.php">
Order allow,deny
Deny from all
</Files>
This might be a good solution if you don't care about trackbacks, but if you want them then there exists another fix that involves changing the wp-trackback.php file to exit if the charset is quite long. Open the file and look for line 47.
$charset = $_POST['charset'];
// These three are stripslashed here so that they can be properly escaped after mb_convert_encoding()
Add the following lines:
$charset = $_POST['charset'];
// DoS attack fix.
if ( strlen($charset) > 50 ) {
die;
}
// These three are stripslashed here so that they can be properly escaped after mb_convert_encoding()
This will stop any script kiddie from running the exploit script and killing your blog, but you might also want to add a check to make sure that the title variable isn't a stupid size as well. On line 56 (assuming you implemented the previous fix) add the following lines.
if ( strlen($title) > 200 ) {
die;
}
This assumes that the trackback's post won't be longer than characters. There might be some legitimate posts that do have titles this long, but it is my opinion that these are probably poor quality posts and so okay to ignore.
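The two length checks above, pulled together into one function as an added example (this is not code from the post or from WordPress core). The field names are the ones wp-trackback.php reads from $_POST; the function name, the excerpt and URL caps, and the charset pattern are assumptions, and the charset and title caps are the ones used in the post.

```php
<?php
// Added example: reject an oversized trackback before any database work is done.
// Assumption: called at the top of wp-trackback.php, before the charset is read.

const TRACKBACK_MAX_CHARSET = 50;   // the post's charset cap
const TRACKBACK_MAX_TITLE   = 200;  // the post's title cap
const TRACKBACK_MAX_EXCERPT = 2000; // assumed: excerpts are short by design
const TRACKBACK_MAX_URL     = 2048; // assumed: a common URL length limit

/**
 * Returns null when the request looks sane, or a short reason to reject it.
 * strlen() counts bytes, which is what we want: the aim is to bound the work
 * done per request, not to count characters in any particular encoding.
 */
function trackback_reject_reason(array $post): ?string {
    $limits = [
        'charset' => TRACKBACK_MAX_CHARSET,
        'title'   => TRACKBACK_MAX_TITLE,
        'excerpt' => TRACKBACK_MAX_EXCERPT,
        'url'     => TRACKBACK_MAX_URL,
    ];
    foreach ($limits as $field => $max) {
        $value = $post[$field] ?? '';
        if (!is_string($value)) {
            return "$field is not a string";
        }
        if (strlen($value) > $max) {
            return "$field exceeds $max bytes";
        }
    }
    // A real charset name is a short token such as UTF-8 or ISO-8859-1.
    $charset = $post['charset'] ?? '';
    if ($charset !== '' && !preg_match('/^[A-Za-z0-9_.:-]+$/', $charset)) {
        return 'charset contains unexpected characters';
    }
    return null;
}

// Constructed sample requests: a normal trackback and one shaped like the DoS script's.
$legit = ['charset' => 'UTF-8', 'title' => 'A reply', 'url' => 'http://example.com/post', 'excerpt' => 'Short excerpt'];
$flood = $legit;
$flood['charset'] = str_repeat('A', 200000); // oversized charset, as in the attack

var_dump(trackback_reject_reason($legit));
var_dump(trackback_reject_reason($flood));

// Drop-in use in wp-trackback.php (assumption: placed before the line that reads the charset):
// if (trackback_reject_reason($_POST) !== null) { die; }
```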
Many thanks to Steve Fortuna's post New 0-Day Wordpress Exploit for pointing out and providing a fix to this issue.
UPDATE
Wordpress released an update this morning (V2.8.5) to fix this and other exploits. As usual, Wordpress is quick to release patches for exploits and vulnerabilities.
Written by Philip Norton.
13 Responses to “Wordpress DoS Attack Script Solution”
Steve Fortuna | October 20th, 2009 1:46 pm #
Hey, I just wanted to point out that Jarreltech copied my post word for word from stevefortuna.com. I am quite surprised to see someone steal my post word for word, as my blog is very small and new. If you're not sure if I was the one copying or not, check out the time on my post, along with this http://digg.com/users/tcpjack. -Steve
Philip Norton | October 20th, 2009 1:59 pm #
Thanks for the update Steve, I have updated the post to give credit where credit is due.
Steve Fortuna | October 20th, 2009 2:00 pm #
Thanks. I appreciate it.
Glenn Ansley | October 20th, 2009 2:07 pm #
We just created a quick plugin that accomplishes the same thing as your code in the event that some people may be uncomfortable editing PHP or core WordPress files. You can find it here: http://fullthrottledevelopment.com/wordpress-plugin-to-stop-trackback-dos-attacks
Tom | November 10th, 2009 2:37 am #
Can we use this for a normal website? NOT WP
Philip Norton | November 10th, 2009 10:29 pm #
@Tom This code is for a Wordpress site, but the same principle can be applied to any script of this type really. What sort of thing did you have in mind?
Alain | November 12th, 2009 3:59 am #
I am sorry, but WordPress 2.8.5 does not fix the problem. Our site on v2.8.5 was the victim this past weekend. See log excerpt below: 91.121.120.153 http://www.xxxxx.com - [10/Nov/2009:11:48:30 +0100] "POST /wp-trackback.php HTTP/1.1" 200 699 "-" "-" 360.000 lines in the log!!!! Result: server down by host for 2 days.
Brandon | December 14th, 2009 9:27 pm #
Great post, you definitely hit the nail on the head. I just don't understand why people don't quite get what you're saying. I'm not sure how many people I've talked to concerning this very thing in the past week, and they just can't get it. Excellent post!
Trackbacks
- WordPress Plugin to Stop Trackback DOS attacks | FullThrottle Development
- WordPress MU WPMU Multi-User Blogs Help Tips | Behind the Scenes » Quick Fix for WordPress Trackback DoS Exploit
- Wordpress - Russian templates and plugins
- Security hole in WordPress enables trackback DoS attacks | Webseiten-Infos.de
- WordPress 2.8.5 hardening